Nmap Development mailing list archives

multiple users check with http-auth script


From: Dino Tesic <cadavir () gmail com>
Date: Tue, 17 Jan 2012 21:01:02 +0100

Hello Folks

I need some help!
I'm using nmap 5.51 and I'm wondering whether there is any chance to force
the "http-auth" script to go through all accounts in authcombination before
quitting.

Let's say, for example, there is a test server with multiple accounts:

test:test - restricted account for testing connection
user:user - restricted account with ability to view all settings (but
no modification permission)
admin:admin - admin account without any restriction

I'm using this list (for possible auth-combination) to detect valid users

  local authcombinations= {
    { username = "admin", password = ""},
    { username = "admin", password = "admin"},
    { username = "admin", password = "nimda"},
    { username = "admin", password = "router"},
    { username = "user", password = "user"},
    { username = "root", password = "admin"},
    { username = "test", password = "test"},
  }

but every time it matches one valid account, the next account in the list
will be ignored, and what is more confusing, it prints all other
accounts in the list after matching one.

when admin:admin account is valid it will print:
HTTP server may accept admin:admin combination for Basic authentication.
HTTP server may accept admin:nimda combination for Basic authentication.
HTTP server may accept admin:router combination for Basic authentication.
HTTP server may accept user:user combination for Basic authentication.
HTTP server may accept root:admin combination for Basic authentication.
HTTP server may accept test:test combination for Basic authentication.

... BUT only the first one is checked and valid ...

if user:user account is valid it will print:
HTTP server may accept user:user combination for Basic authentication.
HTTP server may accept root:admin combination for Basic authentication.
HTTP server may accept test:test combination for Basic authentication.

and so on...


is there any way to fix this?

thanks
Dino
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
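
One way to check a credential-audit script's output against known ground truth, as an added example that is not part of the original post and not Nmap's code: a loopback stub server holding the three accounts described above, and a checker that judges each pair from the posted list only by its own response on a fresh connection. The names `StubHandler`, `check_pair` and `audit_stub`, and the rule that 401/403 means "rejected", are assumptions of this example.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed ground truth: the three accounts the post says exist on the test server.
VALID = {("test", "test"), ("user", "user"), ("admin", "admin")}
# Candidate list copied from the post.
AUTHCOMBINATIONS = [
    ("admin", ""), ("admin", "admin"), ("admin", "nimda"), ("admin", "router"),
    ("user", "user"), ("root", "admin"), ("test", "test"),
]

class StubHandler(BaseHTTPRequestHandler):
    """Loopback stand-in for the test server: 200 for a valid pair, 401 otherwise."""
    def do_GET(self):
        header = self.headers.get("Authorization", "")
        ok = False
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                ok = (user, pw) in VALID
            except ValueError:  # malformed base64 or non-UTF-8 bytes
                pass
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="test"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def check_pair(host, port, user, pw):
    """Fresh connection per pair; the verdict depends only on this one response."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Authorization": "Basic " + token})
        return conn.getresponse().status not in (401, 403)
    finally:
        conn.close()

def audit_stub():
    """Start the stub on an ephemeral loopback port and test every listed pair."""
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return [p for p in AUTHCOMBINATIONS if check_pair("127.0.0.1", port, *p)]
    finally:
        server.shutdown()
        server.server_close()
```

Against this stub the only pairs a correct checker may report are admin:admin, user:user and test:test, so any extra "may accept" line from a script under test points at the script rather than the server.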

